
Re: [dnswl-users] Experimental dnswl.org feature - Abuse Reporting


(Re-sent to the list, and not to Alessandro only.)

On Sun, Jan 3, 2010 at 5:35 PM, Alessandro Vesely <vesely@xxxxxxx> wrote:

> Apparently, the basic idea is that a DNSWL-listed ID can get its score
> adjusted according to reported spam. Is that correct?

Yes and no. A single spam sample may not be sufficient justification
for score adjustment. Factors like a fast abuse response (if we know
about it, of course) and other reputation data are also taken into
account.

> Will the SMTP channel use ARF?

We will add features over time, and prioritize according to what people need.
While the reporting is now open to the public, I do not yet consider
the core of it very mature, and I will postpone additional features a
bit.

> How is trust going to be weighted between the submitting user and the
> offending IP's operator?

Currently, all spam samples are equal. "Dynamic" rescoring based on
the submitter's history/reputation is a possible enhancement.


>> 2) A regularly running script tries to add additional information to
>> your report - DNSWL Id, link to internally stored network ranges etc.
>
> Fine. Some external sources may also be relevant.

External sources have been used since the beginning of our project (mostly
DNSBLs, but also some non-DNSBL-style reputation input).


>> 3) Editors review the reports and give three types of feedback:
>> ** Is it really spam/abuse?
>> ** Indicate what action has been taken (no action, rescore, delist, "other")
>> ** And actually execute the action
>
> Who is going to carry out such a job?!? Reading spam is really boring,
> and I don't think it makes sense to hire people for doing that...

Not every spam sample will be viewed. We will need to put up some
clever reporting to alert us of entries with a lot of incoming
samples, and we will need to incorporate the spam samples in our
manual judgement/rescoring.


> In general, do you plan to forward those abuse reports? I've tried to

Yes, we do. However, until now we did not collect explicit
(automatable) abuse addresses, and we need to find a way to either
manually or automatically (e.g. from our correspondence, or à la
Spamcop) assign workable contacts.

> depict reports flow in
> http://wiki.asrg.sp.am/wiki/Abuse_Reporting#The_Feedback_Loop_.28FBL.29_and_other_usage_of_abuse_reports
> where DNSWL would play the role of a "Reputation tracker". Any comment
> on that picture?

I don't think that dnswl.org can play the role of a generic reputation
tracker. Although the idea is interesting, it would take too many
resources outside of our primary focus (providing a whitelist).


>> 4) The user (again, you!) can see the progress of each report in the
>> web form (for the last 20 or so reports).
>
> Can the user retract? I'd guess reporters may make errors too... For
> SMTP submission in particular, as it eases automated abuse-report
> forwarding (as illustrated), situations may arise where it is difficult
> to identify a report's author correctly.

All reports are tied to a reporter (however we try to remove
identifying information from the reports sent to abuse contacts).
There is no "retract" feature yet, but depending on feedback, we may
increase the priority for such a feature.

-- Matthias


